WinRAR has a critical security bug: here is the fix

Martin Brinkmann
Feb 21, 2019
Security

WinRAR is a very popular program for creating and extracting archives on Windows and other supported operating systems. Part of its popularity comes from its support for many packing formats; another part is that the software's trial version never expires.

A bug was discovered recently that affects all versions of WinRAR prior to 5.70. The bug, a remote code execution vulnerability, affects every previous WinRAR release and thus all 500 million users of the application.

Security researchers discovered a flaw in a library that WinRAR uses to extract files from archives packed with the ACE format.

Attackers can exploit the vulnerability by getting specially prepared archives onto user systems. The bug can be abused to extract files into any folder on the system instead of the folder selected by the user or the default folder for extracted files.

Tip: Find out how to repair and extract broken WinRAR archives.

Attackers could have files extracted to Windows' startup folder so that programs are executed on the next start of the system.

The researchers published a video that demonstrates the exploit.

WinRAR uses the content of the file, not its extension, to determine the archive format that was used to compress the files. This means that simply avoiding files with the .ace extension is not enough for the time being: attackers could rename ACE files to RAR or ZIP, and WinRAR would handle them just fine.
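Because the extension tells you nothing, a defender who wants to flag ACE archives in a downloads folder or mail-attachment store has to sniff the content the same way WinRAR does. The PowerShell script below is an added example, not code from the article or from WinRAR; it assumes that an ACE main header carries the ASCII marker `**ACE**` at byte offset 7 (the signature libmagic uses to report "ACE archive data"), and the function names `Test-AceArchive` and `Find-DisguisedAce` are mine.

```powershell
# Added example (not from the article): identify ACE archives by their content
# rather than by their file extension, mirroring how WinRAR sniffs the format.
# Assumption: the ACE main header carries the ASCII marker "**ACE**" at byte
# offset 7 (the same signature libmagic uses for "ACE archive data").
function Test-AceArchive {
    param([Parameter(Mandatory)][string]$Path)
    $marker = [System.Text.Encoding]::ASCII.GetBytes('**ACE**')
    $read = 0
    $buf = New-Object byte[] 14
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $read = $stream.Read($buf, 0, 14)
        } finally {
            $stream.Dispose()
        }
    } catch {
        # Unreadable file (locked, permissions): treat as "not an ACE archive".
        return $false
    }
    if ($read -lt 14) { return $false }
    for ($i = 0; $i -lt 7; $i++) {
        if ($buf[7 + $i] -ne $marker[$i]) { return $false }
    }
    return $true
}

# Scan a folder (e.g. a downloads or mail-attachment directory) and report
# files that are really ACE archives, whatever their extension claims.
function Find-DisguisedAce {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-AceArchive -Path $_.FullName } |
        ForEach-Object {
            [PSCustomObject]@{
                Path      = $_.FullName
                Extension = $_.Extension
                Disguised = ($_.Extension -ne '.ace')
            }
        }
}

# Usage:
#   Find-DisguisedAce -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A `Disguised` value of `True` marks a file that is an ACE archive but does not carry the .ace extension, which is exactly the renamed-to-.rar-or-.zip case the article warns about. The check reads only the first 14 bytes, so it is cheap enough to run over a large share.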

The library that is responsible for the behavior is UNACEV2.DLL. The maker of WinRAR removed the file from the latest Beta version of WinRAR 5.70. Users can upgrade to the Beta version to protect their devices from the security issue.

Policies may prevent the installation of Beta software on devices, and some Home users might not want to install Beta software either on their computer systems.

These users and administrators may delete the vulnerable file, UNACEV2.DLL, from the WinRAR directory to protect the device from the issue. Here is how that is done:

  1. Open Explorer on the Windows PC.
  2. Go to C:\Program Files\WinRAR if you run a 64-bit version of WinRAR.
  3. Go to C:\Program Files (x86)\WinRAR if you run a 32-bit version of WinRAR.
  4. Locate the file UNACEV2.DLL and either rename it or delete it.
    1. To delete: select the file UNACEV2.DLL and delete it either with a right-click and the selection of Delete from the context menu, or by using the Del key on the keyboard.
    2. To rename: right-click on the file and select rename.
  5. Restart the PC.

Note: This removes the option to extract ACE files using WinRAR.
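The manual steps above cover the two WinRAR install folders. As an added example (not code from the article or from RARLAB), the PowerShell function below automates the same mitigation and goes one step further: it searches the common program directories for every copy of UNACEV2.DLL, since other archivers ship the same library, reports each copy, and with `-Disable` renames it so it can no longer be loaded. The function name `Find-UnaceDll`, the `.disabled` suffix and the search roots beyond the two WinRAR folders are my assumptions.

```powershell
# Added example (not from the article): locate every copy of UNACEV2.DLL under
# the usual program directories and, with -Disable, rename each copy so that it
# can no longer be loaded. Search roots beyond the two WinRAR folders named in
# the article are assumptions; other archivers bundle the same DLL, so the scan
# is deliberately broad.
function Find-UnaceDll {
    param(
        [string[]]$Roots = @(
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}",
            "$env:LOCALAPPDATA"
        ),
        [switch]$Disable
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'unacev2.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info = [PSCustomObject]@{
                    Path     = $_.FullName
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Version  = $_.VersionInfo.FileVersion
                    Modified = $_.LastWriteTime
                    Action   = 'reported'
                }
                if ($Disable) {
                    $newName = $_.Name + '.disabled'
                    try {
                        Rename-Item -LiteralPath $_.FullName -NewName $newName -ErrorAction Stop
                        $info.Action = "renamed to $newName"
                    } catch {
                        # Typically "access denied" when not elevated, or the DLL is in use.
                        $info.Action = "rename failed: $($_.Exception.Message)"
                    }
                }
                $info
            }
    }
}

# Usage (from an elevated PowerShell prompt; reboot afterwards as the article advises):
#   Find-UnaceDll | Format-Table -AutoSize            # report only
#   Find-UnaceDll -Disable | Format-Table -AutoSize   # rename every copy found
```

Renaming rather than deleting keeps the option of restoring the file if some program turns out to need it, while still removing it from the loader's view. Run the report-only form first so you know which applications will lose ACE support.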

I could not find information on the popularity of the ACE format. I remember that it was quite popular (and controversial) more than a decade ago.

Now You: Do you use WinRAR? My favorite program is Bandizip right now. (via Hacker News)


Comments

  1. ferny said on April 30, 2019 at 9:14 am
    Reply

    This exploit is now being used to infect users with ransomware. That is at least to those who are still running older versions of WinRAR and such.

  2. manicmac said on February 25, 2019 at 1:36 pm
    Reply

    Have winrar 3.5 on multiple PCs. No idea why the article claims all versions prior to …. 5 or whatever have this file. FALSE … none of the PCs I have the earlier version on have this file anywhere on the PC.

  3. MeH said on February 23, 2019 at 10:33 pm
    Reply
  4. compressed said on February 22, 2019 at 6:34 pm
    Reply

    What about the unrar.exe standalone executable from RarLabs? Some other software projects make use of that.

    I wish everyone would stop using the .rar format altogether. Just use .zip if there is no need for compression or .7z if compression is important.

  5. Bill said on February 22, 2019 at 3:18 pm
    Reply

    I wonder if Peazip is affected? I’ve been using it for 2 years now and it’s free!

  6. Emil said on February 22, 2019 at 9:23 am
    Reply

    A simple search showed that the compromised unacev2.dll existed more than once on my system, it’s not just Winrar. I had it in several others like Peazip and Far commander too. Take care ppl.

    Yes, the ACE format was controversial around Win98 times because the author reportedly used false benchmarks or something like that. Rar won the format war because of its features.

  7. pHROZEN gHOST said on February 21, 2019 at 10:35 pm
    Reply

    It’s troublesome to know how long this has been around.
    Glad I have not been a WinRAR user.

  8. Laura said on February 21, 2019 at 9:05 pm
    Reply

    I also deleted the Ace32Loader.exe that is also in the WinRAR directory and the program works ok.

  9. Darren said on February 21, 2019 at 8:24 pm
    Reply

    Seeing someone pass around an ACE file in 2019 would make me suspicious by default.

  10. John Fenderson said on February 21, 2019 at 5:37 pm
    Reply

    I use WinRAR regularly, as it’s the only Windows program that I know of that can handle Linux compressed archives.

  11. George said on February 21, 2019 at 4:54 pm
    Reply

    Thanks for the info, I’ve deleted the .dll file. I’d recommend you also search your PC for it, since other programs may be using it. For example, it was in my DeliPlayer installation (a brilliant, yet now abandoned music player specialised in Amiga music formats).

    1. MeH said on February 23, 2019 at 9:12 pm
      Reply

      Just use K-Lite Codec Pack Mega that can play any audio and video format available on planet Earth ;)

      https://www.CodecGuide.com/download_kl.htm

  12. Paul(us) said on February 21, 2019 at 3:55 pm
    Reply

    Thanks for the heads up and the fix, Martin.
    I always have liked the WinRar file archiving program.
    The only question I am wondering about is do other file archiving programs like 7 zip, Bandzip, Autozipper, and others handle that ACE format differently and because of that are not at risk?

  13. Ross Presser said on February 21, 2019 at 3:21 pm
    Reply

    A small amount of info is here:

    https://en.wikipedia.org/wiki/ACE_(compressed_file_format)

    The UnACE.dll that is the source of this vulnerability is something the author provided to developers free of charge (but not open source). There is open source (BSD-licensed) code in Python for extracting from ACE.

    Only the proprietary WinACE for Windows, or ACE for commandline Windows, can create ACE archives.

  14. Tom Hawack said on February 21, 2019 at 2:34 pm
    Reply

    I have only two occurrences of unacev2.dll:

    Bandizip 6.20 : C:\Program Files\Bandizip\unacev2.dll
    Total Commander 9.21a : C:\Program Files\TotalCmd\UNACEV2.DLL

    Bandizip handles all my compressed files
    Total Commander includes compressing/decompressing several formats of which ACE

    I hesitate to rename these two occurrences given they’re part of an application.
    I guess Bandizip and Total Commander will both provide updates soon to mitigate this unacev2.dll issue.

    1. MeH said on February 23, 2019 at 9:05 pm
      Reply

      There is no UNACEV2.DLL in Bandizip 6.21 ;)

    2. Teiji said on February 21, 2019 at 4:42 pm
      Reply

      Looking at Bandizip history, they already fixed several Ace bugs since v6.14:

      v6.14 June 19, 2018

      -Fixed: Cannot extract specific RAR5 format file
      -Fixed: Cannot extract specific RAR format file
      -Fixed: Ace format related bugs
      -ZLIB update(1.2.8->1.2.11)
      -Improved the stability of the program
      -Code refactoring

      https://www.bandisoft.com/bandizip/history/

      1. Tom Hawack said on February 24, 2019 at 2:37 pm
        Reply

        Bandizip 6.21 Build 26481 released, changelog:

        – Stop supporting ACE format due to vulnerability (CVE-2018-20250)
        – Fixed: Crash problem while extracting specific NSIS
        – Fixed: Shell extension does not work for the specific case
        – Some minor bug fixes

    3. Sigitas said on February 21, 2019 at 4:06 pm
      Reply

      I have reinstalled my PC. The current version of Total Commander doesn’t have the unacev2.dll file.

      1. Tom Hawack said on February 21, 2019 at 7:01 pm
        Reply

        @Sigitas, thanks a lot for pointing this out! Indeed, I’ve proceeded to a clean install of ‘Total Commander’ 9.21a and the install folder has now 34 files instead of 55 previously, and no longer UNACEV2.DLL.

  15. Weilan said on February 21, 2019 at 2:20 pm
    Reply

    I’ve been using Bandizip for years – at first they were using 7-zip as their base, but now they’ve gotten rid of it and are entirely original. I think it’s the best software of them all, gets regular updates and it’s completely free.

    On a side note, since it’s not entirely important – it also looks nicer than WinRAR and 7-Zip.

    1. phxjw said on February 21, 2019 at 5:14 pm
      Reply

      Bandizip is my go to for compression and extraction of files as well. I did notice that it also uses unacev2.dll. Renaming it for the time being to be on the safe side.

  16. TelV said on February 21, 2019 at 2:04 pm
    Reply

    Thanks for the tip Martin. I have v5.61 installed, but I’m reluctant to upgrade a beta version, so I used your workaround to delete the file you mentioned instead.

    1. CalixtoVWR1 said on February 21, 2019 at 9:51 pm
      Reply

      Ditto. And thanks to Martin for the heads-up.

  17. adsarehere said on February 21, 2019 at 2:03 pm
    Reply

    I use 7-zip. No problems ever, free for commercial use, great compression.

    1. Darren said on February 21, 2019 at 8:29 pm
      Reply

      Careful there captain overconfident :)

      7-Zip vulnerability affects security software
      https://www.ghacks.net/2016/05/13/7zip-vulnerability-affects-security-software/

      1. David said on February 23, 2019 at 1:14 am
        Reply

        @Darren

        That article dates back to 2016 and the bug has already been fixed, as stated in the article.

      2. Kyle said on March 28, 2019 at 8:28 pm
        Reply

        The point being that exploits can be found in different types of software of all different versions. The real issue here is that Winrar doesn’t have an auto-update feature to correct the problem, which leaves more systems vulnerable for an extended period of time. An update function in subsequent releases is the best way to mitigate this vulnerability, but that would still rely on user action to implement.

      3. nosamu said on February 22, 2019 at 4:03 am
        Reply

        From the article:
        “The security vulnerability has been fixed in 7-Zip 16.0 which has been released this month.”
        The current version of 7-zip is 18.06.

      4. ding dong said on February 25, 2019 at 2:01 am
        Reply

        “The current version of 7-zip is 18.06”

        No, now it’s 19.00.
        From 2019-02-21 on. :)

      5. Rick said on February 22, 2019 at 7:03 am
        Reply

        There have been others, and not all fixed promptly (I’m not even sure that all have been fixed, since information is sketchy).

  18. Belga said on February 21, 2019 at 1:54 pm
    Reply

    I still find this dll in the addon of XnView and in the directory “savapi” of 360TS.
    Thank you for the info.

  19. A.D. said on February 21, 2019 at 1:22 pm
    Reply

    Thanks for the heads up! Heh, I haven’t seen a proper .ACE file in many years.

    1. Martin Brinkmann said on February 21, 2019 at 1:43 pm
      Reply

      I have not seen the format either in the wild. The main issue is how WinRAR handles formats. An attacker could simply rename the prepared ACE file to RAR or ZIP to avoid detection. I doubt many would analyze the files before using WinRAR.

  20. SCBright said on February 21, 2019 at 12:50 pm
    Reply

    The ace format was quite popular in the early 2000s when it provided more compression than RAR.
    I really did not even remember that file format anymore …
